Cybersecurity has been a rapidly rising topic of late, not just for the workers’ comp industry, but for the nation and every sector of our economy. Yet, it seems that for many people, cybersecurity and related technology threats are like a hot stove. We know it is hot. We’ve been told it is hot. Yet we don’t really react until we have touched it, and it has burned us. I suppose with some things we need to see for ourselves before we are convinced.
That is unfortunate, as being burned by the world of cybercrime can be far more painful and take much longer to heal than a good old-fashioned stove generated finger injury. And the risk simply isn’t losing your data or having it compromised; the risk now includes a direct threat to limit your ability to simply conduct your business.
You see, compounding the issues for private enterprise, particularly small to medium entities, is the raft of new requirements and standards being deployed by the federal government and large companies across the nation. They are implementing new protections and protocols that could end up excluding the opportunity to conduct business with them if your operation cannot meet their requirements.
For example, the Department of Defense released the Cyber Maturity Model Certification (CMMC) in January 2020 and all DoD contractors must be certified before they can bid on a government project. According to the RSI Security Blog, “All DoD contractors must be CMMC certified by October of 2020 if they wish to be allowed to bid on new government projects. This means that they must have adequate cybersecurity protocols in place, along with the necessary documentation.”
OK, you are thinking, but I don’t do business with the DoD. How does this affect me?
I am so glad you asked.
The CMMC has five levels of tiered certification. Level 5, “Advanced and Progressive Cyber Hygiene” requires that the organization is not only capable of protecting Controlled Unclassified Information, but that their program can change to meet all threats. Most importantly, this level also requires “that its security process is standardized across all networks. This includes any third-party associates.”
That means, even if you do not conduct business directly with the DoD or Federal Government, your ability to do business with companies that do may be severely compromised – or eliminated.
This single development alone is so serious, there has even been a Cybersecurity Forum scheduled to help everyone understand this brave new world in which we now find ourselves. CMMC plays prominently in their agenda. Originally scheduled as a live event to run concurrently with the WCI National Workers’ Compensation Conference in Orlando, it is now being offered as a standalone 2-day virtual event. It is scheduled for September 16 & 17, 2020. They have assembled a very powerful slate of presenters, including Senator Marco Rubio, Florida CFO Jimmy Patronis, Congressman Michael Waltz and more. You can learn more about that event here (and we will cover more on it in this blog as the date approaches).
This new level of hyper cyber protection is not just limited to the DoD. Many large insurance carriers have implemented much stricter security protocols in recent years. Most companies serving large TPA’s or insurers are already seeing extended questionnaire’s regarding their network security practices and cybersecurity protections – even if they do not access or manage any part of their customers network or data. Those that cannot understand or respond to these new standards, risk being left behind.
Understanding the world of cybersecurity is now an essential part of managing your business. And unlike our earlier appliance anecdote, this stove can be interactive. It can reach out and burn you before you even know it has been turned on. As an industry, we best not ignore the threats, and work to understand the risks.